Commit 6e161ee3 authored by Dr. Stephen Henson

Document -no_explicit



Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee51)
parent 0e5e7af9
+8 −2
@@ -40,6 +40,7 @@ B<openssl> B<ocsp>
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
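Review bot: The synopsis lists [B<-no_explicit>] after [B<-no_cert_checks>], while the description added later in this patch puts =item B<-no_explicit> before =item B<-no_cert_checks>. Use the same order in both places so a reader scanning the synopsis finds the option where the OPTIONS list has it.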
@@ -189,6 +190,10 @@ testing purposes.
do not use certificates in the response as additional untrusted CA
certificates.

=item B<-no_explicit>

do not explicitly trust the root CA if it is set to be trusted for OCSP signing.

=item B<-no_cert_checks>

don't perform any additional checks on the OCSP response signers certificate.
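Review bot: The new =item B<-no_explicit> text says what is not trusted but not what that changes in practice. Suggest stating the effect directly: with this option, an OCSP response is no longer accepted solely because the root CA of the responder's chain is marked as trusted for OCSP signing. Also point the reader to the verification section, where that fallback check is described.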
@@ -301,8 +306,9 @@ CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.

Otherwise the root CA of the OCSP responders CA is checked to see if it
is trusted for OCSP signing. If it is the OCSP verify succeeds.
Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
verify succeeds.

If none of these checks is successful then the OCSP verify fails.
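Review bot: In the rewritten paragraph, "Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders CA is checked" needs a comma after "set", and the negated condition leaves the B<-no_explicit> case to be inferred from the final "If none of these checks is successful" sentence. Suggest adding an explicit sentence such as "If B<-no_explicit> is set this check is skipped." so the fail-closed behaviour is stated rather than implied.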